Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Samba | Samba | 3.0.12 (including) | 3.0.12 (including) |
| Samba | Samba | 3.0.13 (including) | 3.0.13 (including) |
| Samba | Samba | 3.0.14 (including) | 3.0.14 (including) |
| Samba | Samba | 3.0.14a (including) | 3.0.14a (including) |
| Samba | Samba | 3.0.15 (including) | 3.0.15 (including) |
| Samba | Samba | 3.0.16 (including) | 3.0.16 (including) |
| Samba | Samba | 3.0.17 (including) | 3.0.17 (including) |
| Samba | Samba | 3.0.18 (including) | 3.0.18 (including) |
| Samba | Samba | 3.0.19 (including) | 3.0.19 (including) |
| Samba | Samba | 3.0.20 (including) | 3.0.20 (including) |
| Samba | Samba | 3.0.20a (including) | 3.0.20a (including) |
| Samba | Samba | 3.0.20b (including) | 3.0.20b (including) |
| Samba | Samba | 3.0.21 (including) | 3.0.21 (including) |
| Samba | Samba | 3.0.21a (including) | 3.0.21a (including) |
| Samba | Samba | 3.0.21b (including) | 3.0.21b (including) |
| Samba | Samba | 3.0.21c (including) | 3.0.21c (including) |
| Samba | Samba | 3.0.22 (including) | 3.0.22 (including) |
| Samba | Samba | 3.0.23 (including) | 3.0.23 (including) |
| Samba | Samba | 3.0.23a (including) | 3.0.23a (including) |
| Samba | Samba | 3.0.23b (including) | 3.0.23b (including) |
| Samba | Samba | 3.0.23c (including) | 3.0.23c (including) |
| Samba | Samba | 3.0.23d (including) | 3.0.23d (including) |
| Samba | Samba | 3.0.24 (including) | 3.0.24 (including) |
| Samba | Samba | 3.0.25 (including) | 3.0.25 (including) |
| Samba | Samba | 3.0.25-pre1 (including) | 3.0.25-pre1 (including) |
| Samba | Samba | 3.0.25-pre2 (including) | 3.0.25-pre2 (including) |
| Samba | Samba | 3.0.25-rc1 (including) | 3.0.25-rc1 (including) |
| Samba | Samba | 3.0.25-rc2 (including) | 3.0.25-rc2 (including) |
| Samba | Samba | 3.0.25-rc3 (including) | 3.0.25-rc3 (including) |
| Samba | Samba | 3.0.25a (including) | 3.0.25a (including) |
| Samba | Samba | 3.0.25b (including) | 3.0.25b (including) |
| Samba | Samba | 3.0.25c (including) | 3.0.25c (including) |
| Samba | Samba | 3.0.26 (including) | 3.0.26 (including) |
| Samba | Samba | 3.0.26a (including) | 3.0.26a (including) |
| Samba | Samba | 3.0.27 (including) | 3.0.27 (including) |
| Samba | Samba | 3.0.27a (including) | 3.0.27a (including) |
| Samba | Samba | 3.0.28 (including) | 3.0.28 (including) |
| Samba | Samba | 3.0.28a (including) | 3.0.28a (including) |
| Samba | Samba | 3.0.29 (including) | 3.0.29 (including) |
| Samba | Samba | 3.0.30 (including) | 3.0.30 (including) |
| Samba | Samba | 3.0.31 (including) | 3.0.31 (including) |
| Samba | Samba | 3.0.32 (including) | 3.0.32 (including) |
| Samba | Samba | 3.0.33 (including) | 3.0.33 (including) |
| Samba | Samba | 3.0.34 (including) | 3.0.34 (including) |
| Samba | Samba | 3.0.35 (including) | 3.0.35 (including) |
| Samba | Samba | 3.0.36 (including) | 3.0.36 (including) |
| Samba | Samba | 3.2 (including) | 3.2 (including) |
| Samba | Samba | 3.2.0 (including) | 3.2.0 (including) |
| Samba | Samba | 3.2.1 (including) | 3.2.1 (including) |
| Samba | Samba | 3.2.2 (including) | 3.2.2 (including) |
| Samba | Samba | 3.2.3 (including) | 3.2.3 (including) |
| Samba | Samba | 3.2.4 (including) | 3.2.4 (including) |
| Samba | Samba | 3.2.5 (including) | 3.2.5 (including) |
| Samba | Samba | 3.2.6 (including) | 3.2.6 (including) |
| Samba | Samba | 3.2.7 (including) | 3.2.7 (including) |
| Samba | Samba | 3.2.8 (including) | 3.2.8 (including) |
| Samba | Samba | 3.2.9 (including) | 3.2.9 (including) |
| Samba | Samba | 3.2.10 (including) | 3.2.10 (including) |
| Samba | Samba | 3.2.11 (including) | 3.2.11 (including) |
| Samba | Samba | 3.2.12 (including) | 3.2.12 (including) |
| Samba | Samba | 3.2.13 (including) | 3.2.13 (including) |
| Samba | Samba | 3.2.14 (including) | 3.2.14 (including) |
| Samba | Samba | 3.2.15 (including) | 3.2.15 (including) |
| Samba | Samba | 3.3 (including) | 3.3 (including) |
| Samba | Samba | 3.3.0 (including) | 3.3.0 (including) |
| Samba | Samba | 3.3.1 (including) | 3.3.1 (including) |
| Samba | Samba | 3.3.2 (including) | 3.3.2 (including) |
| Samba | Samba | 3.3.3 (including) | 3.3.3 (including) |
| Samba | Samba | 3.3.4 (including) | 3.3.4 (including) |
| Samba | Samba | 3.3.5 (including) | 3.3.5 (including) |
| Samba | Samba | 3.3.6 (including) | 3.3.6 (including) |
| Samba | Samba | 3.3.7 (including) | 3.3.7 (including) |
| Samba | Samba | 3.4 (including) | 3.4 (including) |
| Samba | Samba | 3.4.0 (including) | 3.4.0 (including) |
| Samba | Samba | 3.4.1 (including) | 3.4.1 (including) |
| Red Hat Enterprise Linux 4 | RedHat | samba-0:3.0.33-0.18.el4_8 | * |
| Red Hat Enterprise Linux 5 | RedHat | samba-0:3.0.33-3.15.el5_4 | * |
| Supplementary for Red Hat Enterprise Linux 5 | RedHat | samba3x-0:3.3.8-0.46.el5 | * |
| Samba | Ubuntu | dapper | * |
| Samba | Ubuntu | devel | * |
| Samba | Ubuntu | hardy | * |
| Samba | Ubuntu | intrepid | * |
| Samba | Ubuntu | jaunty | * |
References
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://marc.info/?l=bugtraq\u0026m=126514298313071\u0026w=2
- http://news.samba.org/releases/3.0.37/
- http://news.samba.org/releases/3.2.15/
- http://news.samba.org/releases/3.3.8/
- http://news.samba.org/releases/3.4.2/
- http://osvdb.org/57955
- http://secunia.com/advisories/36701
- http://secunia.com/advisories/36893
- http://secunia.com/advisories/36918
- http://secunia.com/advisories/36937
- http://secunia.com/advisories/36953
- http://secunia.com/advisories/37428
- http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2009\u0026m=slackware-security.561439
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021111.1-1
- http://support.apple.com/kb/HT3865
- http://wiki.rpath.com/Advisories:rPSA-2009-0145
- http://www.samba.org/samba/security/CVE-2009-2813.html
- http://www.securityfocus.com/archive/1/507856/100/0/threaded
- http://www.securityfocus.com/bid/36363
- http://www.ubuntu.com/usn/USN-839-1
- http://www.vupen.com/english/advisories/2009/2810
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53174
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7211
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7257
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7791
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9191
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00095.html
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00098.html
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://marc.info/?l=bugtraq\u0026m=126514298313071\u0026w=2
- http://news.samba.org/releases/3.0.37/
- http://news.samba.org/releases/3.2.15/
- http://news.samba.org/releases/3.3.8/
- http://news.samba.org/releases/3.4.2/
- http://osvdb.org/57955
- http://secunia.com/advisories/36701
- http://secunia.com/advisories/36893
- http://secunia.com/advisories/36918
- http://secunia.com/advisories/36937
- http://secunia.com/advisories/36953
- http://secunia.com/advisories/37428
- http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2009\u0026m=slackware-security.561439
- http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021111.1-1
- http://support.apple.com/kb/HT3865
- http://wiki.rpath.com/Advisories:rPSA-2009-0145
- http://www.samba.org/samba/security/CVE-2009-2813.html
- http://www.securityfocus.com/archive/1/507856/100/0/threaded
- http://www.securityfocus.com/bid/36363
- http://www.ubuntu.com/usn/USN-839-1
- http://www.vupen.com/english/advisories/2009/2810
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53174
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7211
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7257
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7791
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9191
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00095.html
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00098.html